Skip to content

header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate success or failure based on the returning HTTP status code.

License

Notifications You must be signed in to change notification settings

cytopia/header-fuzz

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

header-fuzz

Version Language License

Build Status

header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate success or failure based on the returning HTTP status code.

🎉 Install

sudo make install

🚫 Uninstall

sudo make uninstall

💻 Usage

$ header-fuzz -h

Usage: header-fuzz [-H <header>] [-i <code>] [-p <proxy>] [-f <FUZZ>] -w </path/wordlist> -u <url>
       header-fuzz -h
       header-fuzz -v

Description:
    header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate
    success or failure based on the returning HTTP status code.

Required arguments::
    -w     Path to wordlist
    -u     URL to test against.

Optional arguments:
    -f     Fuzz string. Insert, prepend or apped %FUZZ% into your string.
           Default: %FUZZ%
    -H     Header name to fuzz.
           Default: Host
    -i     Comma separated string HTTP status codes to ignore.
           Default: 403
    -p     Use proxy for all requests.

Misc arguments:
    -h     Print this help.
    -v     Print version.

💡 Examples

Find virtual hosts

The following examples are trying to find various domains and subdomains based on a HTTP status different than 403:

# Try to guess the domain
header-fuzz -H Host -f '%FUZZ%.tld'            -w /path/to/domains.txt -u 'http://10.0.0.1'

# Try to guess a subdomain
header-fuzz -H Host -f '%FUZZ%.domain.tld'     -w /path/to/domains.txt -u 'http://10.0.0.1'

# Try to guess part of a subdomain
header-fuzz -H Host -f 'pre-%FUZZ%.domain.tld' -w /path/to/domains.txt -u 'http://10.0.0.1'
header-fuzz -H Host -f '%FUZZ%-suf.domain.tld' -w /path/to/domains.txt -u 'http://10.0.0.1'

Find protected robots.txt or sitemap.xml

Some sites only server the robots.txt or sitemap.xml if requested by specifc bot useragent, such as google bot and others. If none of these files exist, you can try to check them with different user agents.

header-fuzz -H User-Agent -w /path/to/useragents.txt -u 'http://10.0.0.1/robots.txt'
header-fuzz -H User-Agent -w /path/to/useragents.txt -u 'http://10.0.0.1/sitemap.xml'

IP blacklisting

Sometimes IP blacklisting is poorly implemented base on the X-FOrwarded-For header. Try to fuzz this.

header-fuzz -H X-Forwarded-For -w /path/to/ip-addresses.txt -u 'http://10.0.0.1'

Proxy through Burpsuite

Send all your requests through Burp to later also quickly check the returned file sizes or status codes and triage further based on this

header-fuzz -p http://localhost:8080 -w /path/to/wordlist.txt -u 'http://10.0.0.1'

🔒 cytopia sec tools

Below is a list of sec tools and docs I am maintaining.

Name Category Language Description
offsec Documentation Markdown Offsec checklist, tools and examples
header-fuzz Enumeration Bash Fuzz HTTP headers
smtp-user-enum Enumeration Python 2+3 SMTP users enumerator
urlbuster Enumeration Python 2+3 Mutable web directory fuzzer
netcat Pivoting Python 2+3 Cross-platform netcat
badchars Reverse Engineering Python 2+3 Badchar generator
fuzza Reverse Engineering Python 2+3 TCP fuzzing tool

:octocat: Contributing

See Contributing guidelines to help to improve this project.

❗ Disclaimer

This tool may be used for legal purposes only. Users take full responsibility for any actions performed using this tool. The author accepts no liability for damage caused by this tool. If these terms are not acceptable to you, then do not use this tool.

📄 License

MIT License

Copyright (c) 2020 cytopia

About

header-fuzz allows you to fuzz any HTTP header with a wordlist and evaluate success or failure based on the returning HTTP status code.

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published